[linux] 01/01: media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 3 00:37:08 UTC 2015


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit d21a1e95ec7b89dce1c6915f639a517b1aa4dc5c
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 2 23:10:20 2015 +0000

    media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
    
    This is a dependency of "media: usbvision: fix crash on detecting device with
    invalid configuration".
---
 debian/changelog                                   |  1 +
 ...sion-fix-crash-on-detecting-device-with-i.patch |  2 +-
 ...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 87 ++++++++++++++++++++++
 ...sbvision-fix-overflow-of-interfaces-array.patch |  2 +-
 debian/patches/series                              |  1 +
 5 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 430d8c4..a37dc2a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux (3.16.7-ckt20-1+deb8u1) UNRELEASED; urgency=medium
   * [x86] KVM: rename update_db_bp_intercept to update_bp_intercept
 
   [ Ben Hutchings ]
+  * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
   * media: usbvision: fix crash on detecting device with invalid configuration
     (CVE-2015-7833, partly fixed in 3.16.7-ckt11-1+deb8u6)
   * splice: sendfile() at once fails for big files (Closes: #785189)
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index 656e126..9968add 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -17,7 +17,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 
 --- a/drivers/media/usb/usbvision/usbvision-video.c
 +++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1545,9 +1545,23 @@ static int usbvision_probe(struct usb_in
+@@ -1546,9 +1546,23 @@ static int usbvision_probe(struct usb_in
  
  	if (usbvision_device_data[model].interface >= 0)
  		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
new file mode 100644
index 0000000..00cfed1
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -0,0 +1,87 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in
+ usbvision_probe()
+Origin: https://git.kernel.org/linus/afd270d1a45043cef14341bcceff62ed50e8dc9a
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1522,7 +1522,7 @@ static int usbvision_probe(struct usb_in
+ 	const struct usb_host_interface *interface;
+ 	struct usb_usbvision *usbvision = NULL;
+ 	const struct usb_endpoint_descriptor *endpoint;
+-	int model, i;
++	int model, i, ret;
+ 
+ 	PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+ 				dev->descriptor.idVendor,
+@@ -1531,7 +1531,8 @@ static int usbvision_probe(struct usb_in
+ 	model = devid->driver_info;
+ 	if (model < 0 || model >= usbvision_device_data_size) {
+ 		PDEBUG(DBG_PROBE, "model out of bounds %d", model);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 	printk(KERN_INFO "%s: %s found\n", __func__,
+ 				usbvision_device_data[model].model_string);
+@@ -1546,18 +1547,21 @@ static int usbvision_probe(struct usb_in
+ 		    __func__, ifnum);
+ 		dev_err(&intf->dev, "%s: Endpoint attributes %d",
+ 		    __func__, endpoint->bmAttributes);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 	if (usb_endpoint_dir_out(endpoint)) {
+ 		dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
+ 		    __func__, ifnum);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 
+ 	usbvision = usbvision_alloc(dev, intf);
+ 	if (usbvision == NULL) {
+ 		dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+-		return -ENOMEM;
++		ret = -ENOMEM;
++		goto err_usb;
+ 	}
+ 
+ 	if (dev->descriptor.bNumConfigurations > 1)
+@@ -1576,8 +1580,8 @@ static int usbvision_probe(struct usb_in
+ 	usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+ 	if (usbvision->alt_max_pkt_size == NULL) {
+ 		dev_err(&intf->dev, "usbvision: out of memory!\n");
+-		usbvision_release(usbvision);
+-		return -ENOMEM;
++		ret = -ENOMEM;
++		goto err_pkt;
+ 	}
+ 
+ 	for (i = 0; i < usbvision->num_alt; i++) {
+@@ -1612,6 +1616,12 @@ static int usbvision_probe(struct usb_in
+ 
+ 	PDEBUG(DBG_PROBE, "success");
+ 	return 0;
++
++err_pkt:
++	usbvision_release(usbvision);
++err_usb:
++	usb_put_dev(dev);
++	return ret;
+ }
+ 
+ 
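Review bot: The `err_pkt` label in the imported patch falls through from `usbvision_release(usbvision)` into `usb_put_dev(dev)`, which is balanced only if usbvision_release() does not itself drop the usb_dev reference. Its body and the call that takes the reference at the top of usbvision_probe() are outside these hunks, so this should be confirmed against the 3.16 tree the patch is applied to. A short comment above the labels would record the contract, for example `/* usbvision_release() frees usbvision only; the usb_dev reference is dropped at err_usb */`. These failure paths are reached when a device presents unexpected descriptors, so a double put here would replace the leak with a premature free of the usb_device.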
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index 0176090..0092dd2 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -17,7 +17,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 
 --- a/drivers/media/usb/usbvision/usbvision-video.c
 +++ b/drivers/media/usb/usbvision/usbvision-video.c
-@@ -1536,6 +1536,13 @@ static int usbvision_probe(struct usb_in
+@@ -1537,6 +1537,13 @@ static int usbvision_probe(struct usb_in
  	printk(KERN_INFO "%s: %s found\n", __func__,
  				usbvision_device_data[model].model_string);
  
diff --git a/debian/patches/series b/debian/patches/series
index 967e126..bff7de3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -643,6 +643,7 @@ debian/ehci-fix-abi-change-in-3.16.7-ckt19.patch
 bugfix/x86/kvm-svm-unconditionally-intercept-DB.patch
 bugfix/x86/kvm-x86-rename-update_db_bp_intercept-to-update_bp_i.patch
 bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
+bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
 bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
 bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


